Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?



‘Sowbug’ Hackers Hit Diplomatic Targets Since 2015

A cyberespionage group that has been active since at least early-2015 has been targeting organizations in South America and Southeast Asia, while focusing mainly on foreign policy institutions and diplomatic targets, Symantec reports.

A cyberespionage group that has been active since at least early-2015 has been targeting organizations in South America and Southeast Asia, while focusing mainly on foreign policy institutions and diplomatic targets, Symantec reports.

Called Sowbug by Symantec, the group is using a piece of malware called Felismus, which was detailed earlier this year. The malware is a modular Remote Access Trojan (RAT) that packs anti-analysis functions and self-updating routines, and which is capable of file upload, file download, file execution, and shell (cmd.exe) command execution.

According to Symantec, the hackers managed to infiltrate organizations in Argentina, Brazil, Ecuador, Peru, Brunei and Malaysia with the purpose of stealing documents.

“The group is well resourced, capable of infiltrating multiple targets simultaneously and will often operate outside the working hours of targeted organizations in order to maintain a low profile,” Symantec says.

An attack conducted in May 2015 on one South American foreign ministry was focused on the division of the ministry responsible for relations with the Asia-Pacific region. The hackers attempted to steal Word documents stored on a file server using a command that would bundle them into a RAR archive.

After successfully exfiltrating 4 days’ worth of data, the attackers proceeded to list all remote shared drives and attempted to access remote shares owned by the targeted division, also looking to extract all Word documents. The attackers then listed the contents of various directories on remote shares, including one belonging to the division responsible for relations with international organizations.

The attackers also deployed two unknown payloads to an infected server and maintained a presence on the target’s network for four months between May and September 2015.

Advertisement. Scroll to continue reading.

This is a typical tactic for the group, which frequently maintains a long-term presence on the networks of targeted organizations, sometimes for up to six months. For that, it impersonates commonly used software packages such as Windows or Adobe Reader by renaming its tools with similar names and hiding in plain sight.

In September 2016, the group deployed the Felismus backdoor on one of the computers of an organization in Asia using the file name adobecms.exe. Next, they installed additional components and tools to a directory and started performing reconnaissance activities. Several days later, they created a sub-directory Program FilesAdobecommon and installed another tool in it, also as adobecms.exe.

The attackers supposedly performed successful network reconnaissance operations, as they managed to compromise another computer within the organization. Next, they returned to the initially compromised machine and installed an executable called fb.exe, which appears designed to copy Felismus across the network to other computers. The group maintained a presence on the target’s network until March 2017.

What the security researchers haven’t yet discovered is how Sowbug performs its initial infiltration of a target’s network. In some instances, it appears to have been deployed from other compromised computers on the network, while in others the tool known as Starloader might have been used for infection.

The same loader was observed deploying additional tools, such as credential dumpers and keyloggers, but the manner in which the loader is installed on the compromised computers remains a mystery. Fake software updates might have been employed, being used to create versions of the Felismus backdoor as well as other tools, Symantec says.

“While cyber espionage attacks are often seen against targets in the U.S., Europe, and Asia, it is much less common to see South American countries targeted. However, the number of active cyber espionage operations has increased steadily in recent years and the emergence of Sowbug is a reminder that no region is immune to this kind of threat,” Symantec notes.

Related: Modular Felismus RAT Emerges

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Artificial Intelligence

The degree of danger that may be introduced when adversaries start to use AI as an effective weapon of attack rather than a tool...